Fess

Search Engines

Enterprise search server built on OpenSearch with an easy‑to‑use web UI and crawlers for web, file systems, and data stores

Java · Latest: fess-15.6.1 · 1mo ago

Features

  • Runs anywhere Java is installed (deb, rpm, zip packages)
  • Docker image & Compose file provided for containerized deployment
  • Web‑based admin console for configuration and monitoring
  • Crawler supports web servers, local filesystems, and many data stores (CSV, DB, S3, etc.)

Recent releases

fess-15.6.1 Mixed
Security fixes
  • Fixed JavaScript escaping issue in chat UI preventing injection from localized labels containing quotes, backslashes, or control characters
Notable features
  • HTTP proxy support for LLM clients via workspace `http.proxy.*` settings with optional Basic authentication
Full changelog

We're pleased to announce the release of Fess 15.6.1.

This patch release adds HTTP proxy support for LLM clients, allowing deployments behind a corporate proxy to reach OpenAI, Ollama, Gemini, and other LLM endpoints without bespoke wiring. It also fixes a potential JavaScript escaping issue in the chat UI.

Improvements

AI Search Mode / RAG Chat

  • LLM HTTP traffic now honors the workspace http.proxy.* settings, with optional Basic authentication, enabling AI Search Mode to work behind corporate proxies. Subclasses can override the proxy configuration per-client for finer-grained control. (#3128)

Bug Fixes

  • Localized labels rendered inside the chat page JavaScript are now properly escaped via the new fe:escapeJs taglib function, preventing translations that contain quotes, backslashes, or control characters from breaking the chat initialization. (#3126)
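
What escaping for an inline script string literal has to handle for the label contents named above, as an added JavaScript example. It is not Fess's fe:escapeJs taglib code: `escapeJs`, `renderInit`, `roundTrip` and the sample labels are constructed for illustration.

```javascript
// Added illustration, not Fess code: escapeJs() is a hypothetical stand-in for
// what a JS-string escaper has to do before a label is placed between quotes
// in an inline <script> block.
const NAMED = { "\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n", "\r": "\\r", "\t": "\\t" };

function escapeJs(text) {
  let out = "";
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    if (NAMED[ch] !== undefined) {
      out += NAMED[ch];
    } else if (cp < 0x20 || cp === 0x7f || cp === 0x2028 || cp === 0x2029 || "<>&".includes(ch)) {
      // Control characters, JS line separators and HTML-significant characters
      // become \uXXXX so they can end neither the string nor the script element.
      out += "\\u" + cp.toString(16).padStart(4, "0");
    } else {
      out += ch;
    }
  }
  return out;
}

// Script body a template would emit for one label (constructed, simplified).
function renderInit(label, escape) {
  return "var welcome = '" + escape(label) + "'; return welcome;";
}

// Value the script ends up with, or null when the emitted script does not parse.
function roundTrip(label, escape) {
  try {
    return new Function(renderInit(label, escape))();
  } catch (e) {
    return null;
  }
}

// Constructed sample translations: apostrophe, backslash, newline, markup.
const LABELS = ["Demandez à l'assistant", "Pfad C:\\new", "Zeile 1\nZeile 2", "</script><b>"];
const raw = (s) => s; // no escaping, for comparison

function report() {
  return LABELS.map((label) => ({
    label,
    unescaped: roundTrip(label, raw),
    escaped: roundTrip(label, escapeJs),
    emitted: renderInit(label, escapeJs),
  }));
}

console.log(report());
```

Without escaping, the apostrophe and newline labels stop the script from parsing and the backslash label is silently altered. With escaping, every label round-trips and the emitted text never contains a literal `</script`.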

We recommend upgrading to Fess 15.6.1 if you run AI Search Mode behind a corporate proxy or rely on heavily customized translations for the chat UI.

Documentation
Docker Image: GitHub Packages - codelibs/fess
Community Forum: discuss.codelibs.org

Thank you for using Fess!

fess-15.6.0 Breaking risk
⚠ Upgrade required
  • Downgrade from Fess 15.6.0 will invalidate BCrypt‑encoded passwords; plan an admin password reset if rollback is needed.
  • `app.password.upgrade.enabled` defaults to true, automatically re‑hashing existing SHA‑256/512/MD5 hashes on successful login.
Breaking changes
  • Local user passwords are stored using BCrypt (Spring Security {bcrypt} format); downgrading from Fess 15.6.0 will invalidate {bcrypt}-encoded passwords requiring an admin password reset.
Security fixes
  • Prevent prompt injection in RAG document context (#3065)
  • Prevent path traversal and symlink attacks in IndexExportJob (#3080)
  • Mask sensitive tokens in EntraIdAuthenticator debug logs (#3077)
Notable features
  • OpenSearch 3.6 support with updated kopf plugin
  • Distributed coordination system for multi‑instance deployments
  • AI Search Mode (RAG Chat) overhaul with pluggable LLM providers, configurable prompts, Markdown rendering, and source navigation
Full changelog

We're pleased to announce the release of Fess 15.6.0.

This release adds support for OpenSearch 3.6, introduces a new distributed coordination system for multi-instance deployments, modernizes password storage with BCrypt hashing, and ships a major AI Search Mode (RAG Chat) overhaul along with a new log-based notification channel.

Highlights

  • OpenSearch 3.6 Support
    Fess is now compatible with OpenSearch 3.6, taking advantage of the latest engine improvements and security fixes. The bundled kopf plugin has also been updated to 15.6.0.

  • Distributed Coordination for Multi-Instance Deployments
    New distributed coordination system enables safer operation when running multiple Fess instances against the same cluster, providing a foundation for cluster-aware scheduling and maintenance tasks.

  • BCrypt Password Hashing
    Local user passwords are now stored using BCrypt (Spring Security {bcrypt} format) via the new PasswordHashHelper. Existing SHA-256/512/MD5 hashes continue to work for verification and are transparently re-hashed to BCrypt on the next successful login (app.password.upgrade.enabled=true by default). Note: downgrading to a pre-BCrypt Fess release will invalidate {bcrypt}-encoded passwords — plan an admin password reset if you need to roll back.

  • AI Search Mode (RAG Chat) Overhaul
    The experimental AI feature is rebranded from "AI Chat" to AI Search Mode and gains a substantially expanded RAG pipeline: pluggable LLM provider architecture, configurable per-prompt parameters and prompts, OpenAI reasoning model support, Gemini 3 thinking budget, search-filter UI, Markdown rendering, smart summary mode with turn-based history packing, query-regeneration fallback, source navigation via go URLs, and structured error codes surfaced in the UI.

  • Log-Based Notifications
    ERROR / WARN log events can now be forwarded to Slack, Google Chat, or email, making it easier to wire Fess into existing operational alerting workflows.

Improvements

  • AI Search Mode / RAG Chat

    • Extracted provider-specific clients into a plugin architecture (#3048)
    • Per-prompt-type parameter config and extra-params support (#3049)
    • Configurable RAG / chat prompts and simplified search-result flow (#3089)
    • RAG LLM provider selection in admin General settings (#3054)
    • Per-provider configurable max tokens and OpenAI reasoning model support (#3047)
    • Gemini thinking-budget support and streaming-parser fix for Gemini 3 (#3046)
    • Switch max_tokens to max_completion_tokens for newer OpenAI models (#3044)
    • Smart summary mode and turn-based conversation history packing (#3084)
    • Query-regeneration fallback for RAG search (#3083)
    • Granular error messages and structured LlmException error codes (#3082, #3050)
    • Markdown rendering for RAG chat messages (#3075)
    • go URL generation for RAG chat source navigation (#3067)
    • Search filter support and dropdown filter UI in RAG chat (#3063, #3068)
    • Custom highlight tags and improved evaluation content processing (#3055)
    • Configurable assistant message content for conversation history (#3052)
    • LLM access-type tracking in search log (#3071)
    • Configurable LLM log level in admin General settings (#3064)
    • Concise multilingual taglines for chat welcome title (#3051)
    • AI chat busy / error page and UI polish (#3043)
    • Improved rate-limit message and dedup of error handling (#3062)
    • Handle empty content with length finish reason for reasoning models (#3061)
    • Final SSE chunk content is now flushed instead of dropped (#3096)
  • Security Hardening

    • Prevent prompt injection in RAG document context (#3065)
    • Prevent path traversal and symlink attacks in IndexExportJob (#3080)
    • Mask sensitive tokens in EntraIdAuthenticator debug logs (#3077)
    • Mask Authorization header value in SPNEGO error messages (#3078)
    • Tighten DANGEROUS_QUERY_PATTERN to only block *:* queries (#3059)
    • Additional security and concurrency hardening for RAG chat / LLM (#3058, #3060)
    • Update commons-fileupload API and improve IOException handling (#3079)
    • ACCESS_DENIED activity log on admin role-check failure (#3088)
    • Configurable audit log max length with corrected truncation order (#3098)
  • Administration & Configuration

    • Expose all system.properties settings in the admin General screen (#3091)
    • Add config-index rebuild action to the maintenance page (#3097)
    • Surface previously missing SSO settings in the General admin page (#3110)
    • Split admin Notification section into Notice and Notify (#3092)
    • Add duplicate action for crawl configurations (#3104)
    • Improved validation messages and custom-field support on the search list page (#3102)
    • Null-safe handling for optional form fields in General settings (#3095)
  • Logging & Observability

    • Automatic purging of click logs and favorite logs (#3112)
    • Differentiate log levels by HTTP status in SearchEngineApiManager (#3094)
    • Suppress WARN log noise for client errors in JSON API responses (#3100)
    • Enhanced RAG / LLM debug logging with consistent prefixes and levels (#3070, #3073)
    • Downgrade chat / LLM availability-check logs from DEBUG to TRACE (#3086)
    • Downgrade LLM lifecycle logs from INFO to DEBUG (#3119)
    • Include exception message in CPU stats warning log (#3108)
    • Register custom Log4j2 plugins via annotation processor (#3117)
    • Remove deprecated packages attribute from log4j2 config (#3121)
    • Add EcsLayout to LlmFile appender for Docker JSON logging (#3120)
  • Crawler & Indexing

    • Use SitemapsRule for sitemap content validation (#3105)
    • Correct analyzer filters and dynamic-template names in index mappings (#3076)
    • Fallback URL resolution for relative paths with special characters (#3056)
    • Replace URI with URL in XpathTransformer and ProtocolHelper (#3066)
    • RankFusionProcessor boundary bug fixes and robustness improvements (#3106)
  • API & Search

    • Return job log ID from the scheduler start API (#3103)
    • Robust handling of invalid Base64 in similarDocHash decoding (#3107)
    • Add ACCESS_DENIED audit signal on admin failures (#3088)
  • Platform & Build

    • Upgrade Servlet API from 6.0 to 6.1 (#3090)
    • Complete migration of remaining javax references to jakarta namespace (#3109)
    • Improve translation quality and consistency across all languages (#3087)
    • Bump fess-parent to 15.6.0 (#3115)
    • Add compiled-script caching to GroovyEngine and improve DocBoostMatcher error handling (#3074)
    • Remove jakarta.activation, add oauth2-oidc-sdk dependency (#3081)

Bug Fixes

  • Final SSE chunk no longer dropped in chat responses (#3096)
  • Audit log truncation order corrected (#3098)
  • Crawler URL escaping for relative paths with special characters (#3056)
  • RankFusionProcessor boundary handling fixes (#3106)
  • Null-safe handling for optional General-settings form fields (#3095)
  • similarDocHash no longer throws on malformed Base64 input (#3107)

We recommend upgrading to Fess 15.6.0 to take advantage of OpenSearch 3.6 support, modernized password security, multi-instance coordination, and the substantially improved AI Search Mode.

fess-15.5.1 New feature
Notable features
  • Abstracted LLM client layer supporting configurable system/user prompts, locale‑aware responses, and unified context handling
  • Per‑provider max tokens setting with support for OpenAI reasoning (o‑series) models
  • Gemini thinking budget support and updated streaming parser for Gemini 3 compatibility
Full changelog

We're pleased to announce the release of Fess 15.5.1.

This release focuses on significant improvements to the AI Search Mode, introducing an abstracted LLM client layer, expanded model support, and enhanced configurability for both OpenAI and Gemini providers.

🔧 Improvements

AI Search Mode

  • Introduced an abstracted LLM client layer with configurable system/user prompts, locale-aware responses, and unified context handling across providers
  • Added per-provider configurable max tokens setting and support for OpenAI reasoning models (o-series)
  • Added Gemini thinking budget support and updated the streaming response parser for compatibility with Gemini 3
  • Fixed token parameter handling to use max_completion_tokens for newer OpenAI models, ensuring correct behavior with the latest API specifications

We recommend upgrading to Fess 15.5.1 to take advantage of the improved AI Search Mode with broader model support and enhanced configurability.

fess-15.5.0 New feature
Security fixes
  • Prevented path traversal vulnerabilities in admin log download, design file upload, and JSP editing
  • Prevented LDAP injection in principal and filter construction
  • Enabled Kryo registration requirement to prevent remote code execution
Notable features
  • Experimental AI Search Mode supporting OpenAI and Google Gemini as LLM providers (disabled by default)
  • Index Export Job for generating HTML files from search documents with extensible strategy pattern
  • CPU load‑based request throttling returning HTTP 429 when server CPU is under heavy load
Full changelog

We're pleased to announce the release of Fess 15.5.0.

This release introduces an experimental AI Search Mode with OpenAI and Gemini support, a new Index Export Job for generating HTML files from search documents, CPU load-based request throttling, and a comprehensive set of security hardening improvements.

🚀 Highlights

  • AI Search Mode (Experimental)
    New AI-powered search mode that combines large language models with Fess search. Users can interact with indexed content through a conversational interface, getting intelligent answers grounded in your search index. Supports both OpenAI and Google Gemini as LLM providers. This feature is experimental and disabled by default.

  • Index Export Job
    New job to export search documents as HTML files, with a strategy pattern architecture supporting extensible export formats.

  • CPU Load-based Request Control
    Automatic request throttling based on server CPU load, returning HTTP 429 responses when the system is under heavy load to protect availability.

🔧 Improvements

  • AI Search Mode

    • Replaced keyword-based search with Lucene query generation for more accurate results
    • Improved UI with Atlassian Design System patterns
    • Added search progress messages for better user feedback
    • Added periodic availability checking for LLM clients
    • Migrated LLM HTTP client from OkHttp to Apache HttpClient 5 for improved reliability
  • Security Enhancements

    • Added password policy validation for user creation and password changes
    • Prevented path traversal vulnerabilities in admin log download, design file upload, and JSP editing
    • Prevented LDAP injection in principal and filter construction
    • Enabled Kryo registration requirement to prevent remote code execution
    • Upgraded SAML default signature algorithm from SHA-1 to SHA-256
    • Used atomic file operations to prevent TOCTOU race conditions
    • Cleared plaintext passwords from memory after use
    • Added deprecation warnings for weak cryptographic algorithms
    • Masked sensitive values in environment variables and system properties logging
    • Reduced sensitive information in SAML logout warning logs
    • Added script execution audit logging
  • Crawling & Indexing

    • Added configurable MIME type extension overrides
    • Deduplicated anchor URLs in crawler transformer
    • Fixed MIME type regex pattern escaping for special characters
    • Applied configured default exclude patterns in web crawler wizard
  • Administration & Configuration

    • Improved admin error messages with contextual details
    • Migrated web authentication to WebAuthenticationConfig API
    • Expanded file path validation to support multiple allowed directories
    • Unified "algorism" terminology to "algorithm" across the codebase

🐛 Bug Fixes

  • Fixed file path validation in admin to support multiple allowed directories

We recommend upgrading to Fess 15.5.0 to take advantage of enhanced security, improved system reliability, and the new experimental AI Search Mode.


About

Stars: 1,111
Forks: 174
Languages: Java, JavaScript, Shell

Install & Platforms

Install via: binary, docker, docker-compose, shell-script
Platforms: linux, macos, windows, arm64

Alternative to: Google Site Search